AT&T-iPad security breach may be worse than first thought

Researchers looking into the security of GSM phone networks are suggesting that the recent breach, which saw tens of thousands of e-mail addresses and ICC-IDs inadvertently disclosed by AT&T, could have far more significant implications than a bit of extra spam: attackers can use the information to learn the names and phone numbers of the leaked users, and can even track their position.

The problem is that ICC-IDs—unique serial numbers that identify each SIM card—can often be converted into IMSIs. While the ICC-ID is nonsecret—it's often found printed on the boxes of cellphone/SIM bundles—the IMSI is somewhat secret. In theory, knowing an ICC-ID shouldn't be enough to determine an IMSI. The phone companies do need to know which IMSI corresponds to which ICC-ID, but this should be done by looking up the values in a big database.

In practice, however, many phone companies simply calculate the IMSI from the ICC-ID. This calculation is often very simple indeed, being little more complex than "combine this hard-coded value with the last nine digits of the ICC-ID." So while the leakage of AT&T's customers' ICC-IDs should be harmless, in practice, it could reveal a secret ID.

What can be done with that secret ID? Quite a lot, it turns out. The IMSI is sent by the phone to the network when first signing on to the network; it's used by the network to figure out which call should be routed where. With someone else's IMSI, an attacker can determine the person's name and phone number, and even track his or her position. It also opens the door to active attacks—creating fake cell towers that a victim's phone will connect to, enabling every call and text message to be eavesdropped.

The iPad's SIMs are used for data connectivity rather than voice, which does reduce the impact of the problem a bit—attackers can't eavesdrop on phone calls that don't even exist, and encrypted Internet traffic will remain protected—but the breach still leaves iPad users trackable, and vulnerable to hijacking or eavesdropping of any unencrypted traffic.

This makes AT&T's security problem much more serious than initially thought. The loss of e-mail addresses is annoying for its spam and social engineering opportunities, but given that most of us receive a lot of spam anyway, is unlikely to be disastrous. The loss of the ICC-IDs should have been harmless. But it now seems that that isn't the case. AT&T should send every affected customer a new SIM (that is, one whose IMSI hasn't been disclosed to the world at large). And all phone companies should stop generating IMSIs from ICC-IDs, and instead use database lookups like they're supposed to.
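The two provisioning strategies the article contrasts, the arithmetic "hard-coded value plus the last nine ICC-ID digits" derivation above and the database lookup it recommends here, are modelled in the following Python as an added example; this is not the researchers' or AT&T's code. The PLMN code, filler digit and ICC-ID are constructed placeholders (MCC 001 / MNC 01 is the ITU test network, chosen only for shape), the derivation rule is a hypothetical instance of the pattern the article describes rather than any carrier's real scheme, and `imsi_exposed` is an assumed audit heuristic: if the ICC-ID's trailing digits survive verbatim inside the IMSI, the mapping is derivable and the ICC-ID leak discloses the IMSI.

```python
"""Added example, not from the article or any carrier. Models an ICC-ID ->
IMSI mapping done by arithmetic derivation (the weak practice the article
reports) versus random assignment stored in a lookup table (the practice
it recommends). Every constant and identifier here is constructed."""
import secrets
from typing import Callable, Dict, Optional

# Hypothetical PLMN (MCC 001 / MNC 01, the ITU test network) so IMSIs
# below have the real 15-digit shape. Not a real operator's code.
PLMN = "00101"
# Hypothetical filler a derivation scheme might prepend; the article does
# not state the real value and this is not it.
DERIVATION_FILLER = "0"


def _well_formed(iccid: str) -> bool:
    """ICC-IDs (ITU-T E.118) are 19-20 digits ending in a Luhn check digit."""
    return iccid.isdigit() and 19 <= len(iccid) <= 20 and luhn_valid(iccid)


def luhn_valid(number: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def derived_imsi(iccid: str) -> str:
    """The weak scheme: PLMN + filler + the nine ICC-ID digits preceding the
    check digit. Anyone holding the ICC-ID can recompute the IMSI, which is
    the failure mode the article describes."""
    if not _well_formed(iccid):
        raise ValueError("malformed ICC-ID")
    return PLMN + DERIVATION_FILLER + iccid[-10:-1]


class SimProvisioner:
    """The recommended scheme: the subscriber part of the IMSI (MSIN) is
    drawn at random when the SIM is provisioned and the pair is recorded;
    the only path from ICC-ID to IMSI is a lookup in this table."""

    def __init__(self, randbelow: Callable[[int], int] = secrets.randbelow):
        self._randbelow = randbelow          # injectable for testing
        self._by_iccid: Dict[str, str] = {}
        self._used_imsi: set = set()

    def provision(self, iccid: str) -> str:
        if not _well_formed(iccid):
            raise ValueError("malformed ICC-ID")
        if iccid in self._by_iccid:          # idempotent re-provisioning
            return self._by_iccid[iccid]
        for _ in range(100):                 # bounded retry on collision
            msin = f"{self._randbelow(10**10):010d}"   # 10-digit MSIN
            imsi = PLMN + msin
            if imsi not in self._used_imsi:
                self._used_imsi.add(imsi)
                self._by_iccid[iccid] = imsi
                return imsi
        raise RuntimeError("could not allocate a unique IMSI")

    def lookup(self, iccid: str) -> Optional[str]:
        return self._by_iccid.get(iccid)


def imsi_exposed(iccid: str, imsi: str) -> bool:
    """Assumed audit heuristic a carrier could run over its own records:
    if the nine ICC-ID digits before the check digit appear verbatim in the
    IMSI, the mapping is arithmetic and the ICC-ID alone reveals the IMSI."""
    return iccid[-10:-1] in imsi


if __name__ == "__main__":
    # Constructed ICC-ID (valid Luhn check digit), not a real subscriber.
    sample_iccid = "8900101000000001231"
    weak = derived_imsi(sample_iccid)
    strong = SimProvisioner().provision(sample_iccid)
    print("derived  :", weak, "exposed:", imsi_exposed(sample_iccid, weak))
    print("random   :", strong, "exposed:", imsi_exposed(sample_iccid, strong))
```

With the derived scheme the audit flags every record, which is the condition under which a public ICC-ID list becomes a public IMSI list; with the table-backed scheme the IMSI carries no ICC-ID digits, so the disclosure stays a spam problem rather than a tracking one. The `randbelow` parameter exists only so the allocation can be driven deterministically in a test; production code keeps the `secrets` default.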

We asked AT&T if the company had plans to replace the SIM cards of customers affected by the hack and were told by a spokesperson that the company has no comment at this time.